SIM-Swapping, Explained: How Criminals Steal Your Phone Number (and Empty Your Accounts)

How SIM-swap fraud hijacks your number to beat SMS 2FA, who's targeted, warning signs, defenses, and how to report it in the US, India and UK.
Your phone goes dead — no bars, no calls, no texts. Minutes later, the password-reset codes that protect your email, bank and crypto wallet are landing on a stranger’s handset instead of yours. That is SIM-swapping: a fraud that does not hack your phone at all, but tricks or bribes your mobile carrier into handing your number to a criminal. This guide explains how the attack works, why it defeats SMS codes, the warning signs, how to defend yourself, and how to report it in the US, India and the UK.
What SIM-swapping is
SIM-swapping — also called SIM hijacking or port-out fraud — is a form of account takeover in which a criminal transfers your mobile phone number to a SIM card they control. Once the number is theirs, every call and text meant for you, including security codes, goes to their device.
The key thing to understand is that nothing on your phone is “hacked.” The weak point is the carrier’s account-recovery process: an attacker who can answer a few security questions, present a fake ID, or pay off a store employee can convince the carrier to move your number — no malware required.
There are two closely related variants:
- SIM swap: your number is reassigned to a new SIM within the same carrier.
- Port-out fraud: your number is moved to a different carrier, abusing the legitimate number-portability system that normally lets you keep your number when you switch providers.
How the attack works
A typical SIM-swap unfolds in stages:
- Reconnaissance. The attacker gathers your name, number, date of birth, address and partial account details — from data breaches, phishing, social media, or criminal markets.
- Impersonation. Posing as you, they contact your carrier (by phone, in a store, or online) and request the number be moved to a new SIM or ported out, often using a forged ID or a “lost phone” pretext.
- Insider help (sometimes). The criminal may not need to fool anyone at all: they bribe a telecom employee to perform the swap directly. US prosecutors have charged store and call-centre staff paid per swap.
- The cutover. The instant the swap completes, your phone loses service and the attacker’s device gains it.
- The takeover. Using “forgot password” flows, the attacker triggers SMS or call-based reset codes — now delivered to them — and seizes your email, bank, exchange and social accounts. Email is the prize — it unlocks everything else.
- Cash-out. Funds are drained and crypto is moved before you regain control of your number.
Why it beats SMS 2FA
Two-factor authentication (2FA) is meant to ensure that stealing your password is not enough. But when the “second factor” is a code texted to your phone number, SIM-swapping defeats it by design: the attacker now owns the number, so they receive the code as if they were you.
This is why security agencies increasingly describe SMS as the weakest form of 2FA. It is still better than no 2FA — but it guards against remote password theft, not against someone who has captured your number. Factors that are not tied to your phone number — authenticator apps, hardware keys and passkeys — are not exposed to a SIM swap. See our explainer on passkeys, the phishing- and swap-resistant replacement for passwords.
By the numbers
SIM-swapping is a small share of cybercrime by complaint count, but each incident is high-impact. According to the FBI’s Internet Crime Complaint Center (IC3):
- 2024: 982 complaints and roughly $26.0 million in reported US losses.
- 2023: 1,075 complaints and about $48.8 million.
- 2022: 2,026 complaints and roughly $72.7 million.
Reported figures have declined since 2022 — partly attributed to stronger carrier safeguards — but they capture only complaints filed with IC3 in the US, so they understate the true global total. Losses per victim remain severe, especially in crypto cases.
In the wild
The fake Bitcoin-ETF tweet (US, 2024). On 9 January 2024, the US Securities and Exchange Commission’s official @SECGov account on X was hijacked to post a false claim that spot Bitcoin ETFs had been approved. Bitcoin briefly spiked more than $1,000 before falling over $2,000 once the post was corrected. The DOJ charged Eric Council Jr., who used a printed fake ID to impersonate the victim at an AT&T store in Huntsville, Alabama, obtain a replacement SIM and capture the account’s reset codes. He was sentenced in May 2025 to 14 months in prison.
A $263 million crypto heist (US, charged 2024–2025). The DOJ unsealed racketeering charges against a ring that combined SIM swaps, fake support calls and other social engineering to steal cryptocurrency, including more than 4,100 Bitcoin — worth about $263 million at the time — from a single Washington, D.C. victim in August 2024. Multiple defendants have pleaded guilty.
Telecom insiders for hire. Swaps are often enabled from the inside. In one New Jersey case, a telecom employee admitted taking bribes — paid in Bitcoin — to swap customers’ numbers so co-conspirators could drain accounts. Like the crypto stolen in pig-butchering investment scams, such transfers are typically irreversible.
Warning signs
Act immediately if you notice any of these:
- Sudden loss of service — no signal, calls, or texts when your area and bill are fine, and a reboot does not fix it.
- “SIM changed” or “port request” notifications you did not initiate, by text, email or app alert.
- Unexpected password-reset or login alerts for email, bank or crypto accounts.
- Being locked out of accounts whose recovery is tied to your phone number.
- Calls or texts from your carrier confirming changes you never asked for.
Treat a sudden loss of service as an emergency — the window between cutover and theft is often minutes.
How to protect yourself
No single step is enough; layer these defences:
- Set a carrier port-out PIN or account lock. Every major carrier offers a separate number-transfer PIN or “Number Lock” feature required before any SIM change or port. Enable it — this is the single most important step.
- Move off SMS 2FA where it matters. Use an authenticator app (TOTP) or, better, hardware keys and passkeys for email, banking and crypto. Keep SMS only where nothing else is offered.
- Protect your email first. It is the master key to your other accounts; give it the strongest factor available and a non-phone recovery method.
- Use unique, strong passwords in a password manager so one breach does not cascade.
- Reduce your data exposure. Limit personal details you post publicly, and be alert to phishing that fishes for carrier security answers.
- Never use your phone number as a recovery or login method for high-value accounts where an app-based or hardware option exists.
For a broader walkthrough of account hardening and incident response, see our cybercrime help hub.
If it happens to you
Speed matters. In order:
- Contact your carrier immediately from another phone; report the fraudulent swap and demand the number be restored and the account locked.
- Lock down your money. Call your bank and any exchange to freeze accounts and halt transfers.
- Reset passwords from a secure device — email first — and switch accounts off SMS recovery onto an authenticator app or security key.
- Revoke active sessions and check recovery settings (backup email, phone, forwarding rules) the attacker may have changed.
- Document everything: times, amounts, screenshots and staff names — you will need this to report and dispute charges.
- Report it to the authorities below and place fraud alerts or credit freezes if identity theft is involved.
How to report
- United States: File with the FBI’s Internet Crime Complaint Center at ic3.gov; report fraud and identity theft to the FTC at reportfraud.ftc.gov and identitytheft.gov; the FCC handles complaints about carrier handling of SIM swaps and port-outs.
- India: Call the national cyber-crime helpline 1930 and file at cybercrime.gov.in (the National Cybercrime Reporting Portal, run by the I4C under the Ministry of Home Affairs). Reporting financial fraud fast (the “golden hour”) improves the odds of freezing funds.
- United Kingdom: Report to Action Fraud at actionfraud.police.uk or call 0300 123 2040 (England, Wales and Northern Ireland; Scotland reports to Police Scotland on 101).
Frequently asked questions
Can someone SIM-swap me without any insider at the carrier?
Yes. Many swaps rely purely on social engineering — impersonating you with stolen personal data, security-question answers, or a forged ID — without any complicit employee. Insider bribery is one route, not the only one.
Does a strong password protect me from a SIM swap?
Not on its own. A SIM swap targets your phone number to intercept reset codes, so the attacker can bypass the password entirely through “forgot password” flows. A carrier port-out PIN plus non-SMS 2FA is what actually blocks the attack.
Why is SMS two-factor authentication considered weak?
Because the “second factor” is tied to a phone number that can be hijacked. Authenticator apps, hardware keys and passkeys generate or hold credentials on a device the attacker does not control, so a SIM swap cannot capture them.
Have new laws made SIM-swapping harder?
In the US, FCC rules adopted in November 2023 (carrier compliance from July 2024) require providers to authenticate customers before SIM changes or ports, notify customers of requests, and offer account-lock features. They raise the bar but do not eliminate the risk, especially from insiders.
Sources
- FBI Internet Crime Complaint Center (IC3) — 2024 Internet Crime Report
- FBI — FBI Releases Annual Internet Crime Report
- Federal Communications Commission — FCC Announces Effective Date for SIM Swapping Item
- Federal Register — Protecting Consumers from SIM-Swap and Port-Out Fraud
- US Department of Justice — Alabama Man Sentenced for Hack of SEC X Account that Spiked the Value of Bitcoin
- US Department of Justice — Social Engineering Scheme that Stole $263 Million in Cryptocurrency
- FBI IC3 — Internet Crime Complaint Center (report at ic3.gov)
- US Federal Trade Commission — Report Fraud
- Indian Cyber Crime Coordination Centre (I4C) — National Cybercrime Reporting Portal & helpline 1930
- Action Fraud (UK) — National Fraud & Cyber Crime Reporting Centre